From Debian package 0.0.20080702-4 0010-Allow-users-read-access-to-var-lib-apt-lists.patch 0016-Debian-specific-changes-for-init_t.patch (part of) Allow initrc_t and user domains to read apt cache
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -461,6 +461,9 @@
 # /etc/network/if-up.d/mountnfs wants to mkdir
 # /var/run/network/mountnfs as a poor mans lock
 allow initrc_t var_run_t:dir create;
+
+ # for lsb_release which calls apt-cache
+ apt_read_cache(initrc_t)
 ')
 
 ifdef(`distro_gentoo',`
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if.orig
+++ policy/modules/system/userdomain.if
@@ -117,6 +117,14 @@
 # Allow making the stack executable via mprotect.
 allow $1_t self:process execstack;
 ')
+
+ ifdef(`distro_debian', `
+ # allow reading /var/lib/apt/lists
+ apt_read_db($1_t)
+ # allow reading /var/cache/apt - should not be needed but
+ # does not really matter
+ apt_read_cache($1_t)
+ ')
 ')
 
 #######################################
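Review bot: `apt_read_cache(initrc_t)` is a cross-module interface call placed directly inside the Debian conditional, so a policy build that does not include the apt module fails at this line; the refpolicy convention for calls into another module is `optional_policy(`` / `	apt_read_cache(initrc_t)` / `')`. The same wrapping is missing around the two apt_* calls in the userdomain.if hunk of this patch. The comment justifies the grant by lsb_release, but the rule applies to every script that runs as initrc_t, and recording that in the comment would help a later reviewer judge whether the grant is still warranted. The conditional block closed by the `')` after the added lines starts before this hunk, so I cannot confirm from the hunk alone which ifdef it belongs to.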
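Review bot: The comment above `apt_read_cache($1_t)` states the permission "should not be needed but does not really matter"; in a template that is instantiated for every user domain, an admittedly unneeded read grant on /var/cache/apt is the kind of rule least privilege says to leave out, so either drop the call or replace the comment with the concrete need, e.g. `# apt-cache (via lsb_release) reads /var/cache/apt`. If both calls stay, they also need an `optional_policy(`…')` wrapper so the template builds when the apt module is absent. The template this block belongs to begins before the hunk, and the hunk does not show which of the two trailing `')` lines closes the template versus the preceding conditional.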